Catastrophic!
• Experts nervous about fallout from ransomware attack on top pharmaceutical company
• Massive data-dump of confidential information could create easy targets for fraudsters, they warn
• Local breach follows much bigger strike on Massy’s parent company
The fallout from the “massive” ransomware attack on Massy Jamaica Distribution Limited could be “catastrophic” for swathes of Jamaican consumers and companies, particularly those who are still unaware that their confidential data were left wide open on the Internet, experts have warned.
The company is one of the largest distributors of consumer and pharmaceutical goods in Jamaica, and a subsidiary of the multinational Caribbean conglomerate, the Massy Group.
The 17 gigabytes of data that were dumped on the Internet by cybercriminals on October 9 included personal information such as the names, addresses, taxpayer registration numbers, signatures, videos and pictures of Massy Jamaica employees and contractors, said one cybersecurity expert who has reviewed the information, some of which The Sunday Gleaner has seen.
It exposed, too, the salaries paid to employees; information about private and corporate customers; the profiles and banking information of suppliers; and details about Massy’s business model, including templates for products.
The result of the “massive” data-dump is that customers, employees, suppliers and the wider financial sector are now easy targets for hackers and fraudsters who are engaged in identity theft, the cybersecurity expert told The Sunday Gleaner on Friday.
“The data-dump can be used to impersonate staff … make fraudulent requests to banks, customers and suppliers of Massy … and cause stock prices to fall,” said the cybersecurity expert, who did not want to be named.
“For example, they (fraudsters) could call the banks and give them instructions because they know who the signing officers are, they have the banking details, they know the account number, they have copies of the signatures. So it opens them (Massy) up to fraud as well as their bankers, customers and suppliers. It could be quite catastrophic.”
But what’s worse for top Jamaican attorney Chukwuemeka Cameron is that the distribution chain has not publicly disclosed whether it has notified those individuals and entities impacted by the data-dump, which is a mandatory requirement under Jamaica’s Data Protection Act.
“Have they notified the data subject to say ‘hey, your information is at risk, please take the relevant steps to protect yourself’? That’s one of the obligations they have under the legislation,” said Cameron, a leading voice on data protection.
“We do not know the extent of personal data they hold so the public at large needs to know whether they need to change the password for their credit cards, or online banking. ‘Should I be taking steps to protect myself?’ They have failed to acknowledge that duty to the public.”
INCIDENT ‘HAS BEEN RESOLVED’
A day before the October 9 data-dump, Massy Jamaica confirmed, through a public statement, that it was the victim of a recent ransomware attack.
A ransomware attack occurs when hackers lock up victims’ data and demand exorbitant sums to return it. Cybercriminals are also known to copy sensitive files and threaten to post them publicly unless ransom payments are made.
The company, however, remained silent on whether customers’ data was impacted and said the incident “has been resolved” without saying how.
The Sunday Gleaner submitted a list of questions to Massy Jamaica on Friday, enquiring, among other things, whether data held by the company was encrypted at the time of the cyberattack and whether individuals and entities that may have been impacted by the breach as well as the Office of the Information Commissioner (OIC) have been notified, as is required by the data protection law.
The OIC is responsible for monitoring compliance with the Data Protection Act, which was passed in 2020, but is set for full implementation in November 2023 after a two-year grace period that commenced in December last year.
The law stipulates that suspected breaches must be reported to the OIC within 72 hours and that technical and organisational measures implemented by data controllers must include “pseudonymisation and encryption” of personal data.
“Much of the details you are seeking, I’m unable to disclose at this point,” said Patria-Kaye Charles, marketing and corporate communications manager at Massy Jamaica, in an emailed response to The Sunday Gleaner on Friday.
“Our assessment of data that may have been impacted by this incident is ongoing and we are working to notify the relevant stakeholders to mitigate any potential risks resulting from this incident,” Charles added.
Calls to Information Commissioner Celia Barclay on Friday went unanswered.
But attorneys say the effect of the grace period is that Massy will likely face no sanctions for the possible breaches of the law.
“However, the legislation makes an exception. If it is that she forms the view that a data controller doesn’t operate in good faith and operates in bad faith, they can still be sanctioned,” said one attorney referring to Barclay.
BIGGER STRIKE ON PARENT COMPANY
The cyberattack on Massy Jamaica follows a much bigger strike on its parent company, the Massy Group, based in Trinidad & Tobago, on April 28 this year.
A total of 215 gigabytes of data were stolen during the earlier attack, carried out by a separate group of hackers, and splashed across the Internet on September 19, according to the cybersecurity expert.
“That one was ten times larger than the massive Massy Jamaica data dump and contains far more sensitive information,” claims the expert.
“What that says is that they (hackers) were in the network for a while because to download that volume of data takes time. That’s not a one-day thing, they were in there for several days, possibly a week.”
According to the cybersecurity expert, the data dump from Massy’s T&T headquarters could have provided “useful” information for the cybercriminals who were behind the attack on its Jamaican subsidiary.
Legal experts said though the distribution chain has cast itself as the “victim” of a cyberattack, it could face a flood of lawsuits from individuals and entities whose data was compromised as well as punishing sanctions for breaches of the law.
As an example, one attorney pointed to Section 30 of the Data Protection Act, which he said places an obligation on data controllers to put in place the requisite technical and organisational measures to safeguard the confidentiality, integrity and availability of the data in their possession.
“They failed in two of their primary duties: to protect the confidentiality of the data because everybody’s information is out there now and when they could not access their system, when everything was locked up, they failed to protect the availability of the data,” the attorney opined to The Sunday Gleaner.
He conceded that the data stolen from Massy could have been decrypted after the hackers took control of the company’s network, but said the anguish suffered by those impacted by the data dump is enough for a lawsuit.
“Someone can be like ‘these people have all of my banking details, I can’t sleep because I hear ‘bout identity theft, I don’t know if them going into my account for scamming, I don’t know if they using my credit card and I can’t sleep and it’s causing me emotional distress’,” the attorney reasoned.
“Our courts recognise emotional distress.”